Expose Strategy

Overview

The expose strategy defines how the control planes of user clusters managed by Kubermatic are made reachable from the outside world, i.e. which address and port the apiserver (and the OpenVPN endpoint) of each user cluster is exposed on.

Note: The expose strategy of a cluster cannot be changed after its creation without rotating all
of its nodes, because the kubeconfig used by the kubelet on each node points to the apiserver address
chosen at creation time and would point to the wrong address afterwards.

Currently, there are three possible ways to expose clusters:

NodePort

A wildcard DNS record is created for each seed cluster with the name *.<<seed-cluster-name>>.base.domain
pointing to one or more of the seed cluster's nodes. A NodePort is opened for every user cluster;
clients connect using the combination of the DNS entry and that port.

This is very simple to set up and places no requirements on the seed cluster beyond reachable node addresses, but it exposes the seed cluster's nodes directly and every user cluster consumes a port from the NodePort range.

Global LoadBalancer

It is also possible to use one LoadBalancer per seed cluster instead of NodePorts. When doing so,
the NodePortProxy has to be deployed into the seed. It creates a Kubernetes Service of type
LoadBalancer. Afterwards, a DNS entry for *.<<seed-cluster-name>>.base.domain has to be created
that points to the LoadBalancer's address.

Whenever a user cluster is added or deleted, a controller that is part of the NodePortProxy
adds or removes a port on the LoadBalancer Service. Each port points to a set of Envoy proxies, which
then forward the traffic to the correct control-plane pods of that user cluster.

The Envoy proxies are needed because a Kubernetes Service cannot be used as the endpoint of another
Kubernetes Service, so the traffic has to be terminated by a pod and forwarded from there.

This requires a functioning cloud provider integration in the seed that realizes Services of type LoadBalancer. It is very
cost-efficient, as only one such Service is needed for all user clusters of the seed.

One LoadBalancer per user cluster (Kubermatic 2.11+)

A third option is to create one LoadBalancer per user cluster. This is done by setting the
kubermatic.exposeStrategy key in the Helm chart to LoadBalancer.

This results in one Service of type LoadBalancer being created per user cluster. The
NodePortProxy is deployed automatically by Kubermatic and uses this one Service for the
traffic of both OpenVPN and the apiserver of that cluster.

This is simple to set up, but results in one Service of type LoadBalancer for every cluster
Kubermatic manages. This may result in additional charges by your cloud provider, and the
per-cluster LoadBalancer address has to be resolvable by the user cluster's nodes, since the kubelet
kubeconfig is bound to it (see the note above).